I am granting the "View any database" permission when creating a new server role, but realized this permission only allows the user to view the system databases.
I am trying to create a server role that is read-only and can read any database.
Is there a way to create a user-defined server role to read user databases? Or do I have to do this through user mapping per user?
So, no is the answer, you can't assign database level permissions to server level roles, you can't even add a server role to a database role, which I find really frustrating as I've tried to do the same thing as you.
The way I ended up doing this was not by using a server role at all, I did the following:
Created an AD group for each server that I wanted read only access for
Created a login on the server for the group
Assigned the login to the db_datareader role on the model database
Assigned the login to the db_datareader role on all the pre-existing databases
Added my windows users into the AD group
This way, you can simply assign (or train your servicedesk folks to assign) users who need read only access to all databases on a server to the AD group, plus, as the role is set in the model database, they will have access to all newly created databases on the server too.
Related
My requirement I have 20 users all are configured in azure active directory resource group.
I have one Azure SQL Server under I have 3 Azure SQL Databases like Dev, QA and UAT
In Active Directory configured 20 users I need different access in each database level, some people need only read access and some people need both write and read, etc.
Please help me to do this.
Is it possible to create users group in each database level with different roles for azure active directory users?
users can login SSMS with azure active directory credentials but each user having different access in each database
you can create groups in AAD and provide the groups/users access on the database individually.
Execute the below queries in individual databases:
1)
CREATE USER [GroupName] FROM EXTERNAL PROVIDER or
CREATE USER [xyz#abc.com] FROM EXTERNAL PROVIDER
2)
exec sp_addrolemember 'db_datareader', '<>' or
exec sp_addrolemember 'dbowner', '<>' etc based on the roles which you want to assign.
Note :
Since the user is not created at server level and directly at databases level, while trying to connect via SSMS ,
Put the database name explicitly.
Per my experience, you need manually configure the AAD users with different permissions or database role in each database.
In addition, you need connect to the Azure SQL with Azure AD admin account, only the admin account can do the operations for each database.
For example, one of the AAD user 'aa#abc.com' only needs have the read permission in database Dev but needs read/writer permission in database QA and UAT. User 'bb#abc.com' needs read/writer permission in database 'Dev' and read permission in 'QA' and 'UAT'. In each database, different users are derived to two roles. Then we can not configure group level permission for these AAD users in each database.
After doing that, all the users in your AAD group will have the different permissions in different database. When connect to the database with SSMS, current user can see all the databases which he has the permission to access. You also can choose the specific database in SSMS connection properties like #Nandan said.
HTH.
I have a question about security in SQL Server.
Is it possible to create a login with only authorization to attach or detach databases?
I don't want it as sysadmin.
If you check the documentation, you will see that for attaching a database we need:
Requires CREATE DATABASE, CREATE ANY DATABASE, or ALTER ANY DATABASE
permission.
and for detaching:
Requires membership in the db_owner fixed database role.
If you check the security hierarchy and download the Chart of SQL Server Permissions, you can check what other permission a user will have if he has any of the above permissions.
For example, if he has ALTER ANY DATABASE:
Basically, these rights are on the top of the security hierarchy and if you allow a user the ability to attach database, ze will be able to do other operations overt it, too.
If you don't want to make the user member of sysadmin role, that's OK. You can make the user member of dbcreator role:
I want to provide only READ access to a single table in SQL Server Database for a given user - xyz
Have gone through these questions:
How do I grant read access for a user to a database in SQL Server?
Granting a SQL Server Login Access to a Database - SQL Server
best way to grant read only access to 2 tables in SQL Server 2005?
But it raises some fundamental questions for me, what is the difference in giving the access through role and user name?
Kindly provide a efficient way to do this
I have gotten around this problem in this manner:
CREATE LOGIN XYZ
WITH PASSWORD = 'PASSWORD'
After the login for XYZ is created, then create a user for the above login created
CREATE USER xyz FOR LOGIN xyz
Then grant the select, update permission, in my case it is just select on a particular table
GRANT SELECT ON DBNAME.TABLE_NAME TO USERNAME
The sources I have referred for this are
http://technet.microsoft.com/en-us/library/aa337545.aspx (refer the bottom code part titled create a database user)
http://social.msdn.microsoft.com/Forums/sqlserver/en-US/959f9307-0494-4883-9d17-fad684705864/grant-select-permission-on-a-table?forum=sqldatabaseengine
Granting access through user name is specific only for that user.
But granting access through role is applicable to all the users who belong to that role.
Role is used for assigning permissions to a group of users.
There is a SQL Server 2005 database with mixed-mode authentication.
Among others, we have the following logins on the server: our-domain\developers-group-1, and our-domain\developers-group-2 which are AD groups.
The our-domain\developer-group-2 is added to the sysadmin role on the server, by virture of which all domain users of that group can access any database as SQL Server implictly maps the sysadmin role to the dbo user in each database.
There are two users our-domain\good-user and our-domain\bad-user
The issue is the following: Both the good-user and the bad-user have the exact same AD group memberships. They are both members of our-domain\developers-group-1 and our-domain\developers-group-2. The good-user is able to access all the databases, and the bad-user is not. The bad-user is able to login, but he is unable access any databases. By the way, I am the good-user.
How do I go about finding out why?
Here's what I tried so far:
When I do print current_user, I get dbo
When I do print system_user, I get my-domain\good-user
When I do select * from fn_my_permissions(NULL, 'SERVER'), I see permissions.
But if do execute as user='my-domain\good-user'; select * from fn_my_permissions(NULL, 'SERVER'), I dont see any permisisons.
And When I do, execute as user='my-domain\bad-user'; select * from fn_my_permissions(NULL, 'SERVER'), I dont see any permisisons.
Also, I was wondering if there is a sql command that will tell me, "hey! the current database user is able to access this database because he is a member such-and-such ad-group, which is a login that is mapped to such-and-such user in this database".
If you have the relevant permissions within Management Studio, this shouldn't take too long to work out. It sounds like the bad-user AD group has limited permissions within SQL Server.
You need to check the settings in Security in the GUI, and check the mappings for each of these AD groups - clicking on the databases to see what permissions they have on each database.
Is it possible that you simply have implicit permissions as the creator/owner of the objects, yet no explicit permissions have been granted on the AD groups/roles or to your user individually?
I have created a test user that has sysadmin right in SQL Server 2005 (sysadmin, because i want to profile with this user name also).But i want to restrict that test users access rights to production database.
It is under "logins" and also db name selected under the "User Mapping" tab of its properties with "db_denydatareader" default schema. But it is still can run select statements.
Sorry but once you give SysAdmin access, you've given away the farm. You'll have to create a different role for the test user and then grant access only to the databases you want.